Qilin Top Ransomware Threat to SLTTs in Q2 2025

ID: 6edc0bcd-56e8-51f3-bf63-d2695fc1e72e

STIX ID: report--6edc0bcd-56e8-51f3-bf63-d2695fc1e72e

Feed Name: CISecurity.org Insights Blog

Threat Score: 85/100

Date Published: 2025-09-11

Date Updated: 2026-04-19

CIS CTI profiles the Qilin (Agenda) RaaS, which became the most active ransomware against U.S. State, Local, Tribal, and Territorial entities in Q2 2025, with 29 incidents reported since Dec 2023 (over half in Q2). The group runs a double-extortion model with data theft and leak-site pressure, demanding up to $500K, and gains access via phishing, exposed services (e.g., RDP), and exploitation of critical FortiGate CVEs and SAP CVE-2025-31324. Reported post-compromise tools include Cobalt Strike, SmokeLoader, NETXLOADER, PsExec, NetExec, WinRM, and WinRAR for collection/exfiltration, with observed impacts spanning municipal, county, education, healthcare, and emergency services.
